Documenting the Nintendo Switch hardware, software, and development.
ROhan is an exploit to enable userland arbitrary code execution on Switch OS 3.0. It works due to Nintendo’s code making a number of assumptions that don’t hold when sm:h is in play:
Both of these changes mark theoretical improvements to the system's security. However, sm:h grants full access to the services API – including both registering and unregistering existing services. As such, the exploit flow looks like this:
The reason we need a compromised sysmodule is that the ReplyAndReceive syscall, required to imitate a service, simply doesn’t exist in the browser. As such, we hijack an existing sysmodule to perform this attack.
In 3.0, the sdb sysmodule contains a number of bugs that make it a prime target. We currently have an arbitrary write and control of the execution flow; what we don’t have is an actual ROP/JOP-chain to allow arbitrary function calling. This is the sole piece missing for userland ACE on the Switch.